Windows privileges are named rights carried in a user’s access token that allow specific powerful actions, separate from file permissions. Several are effectively a path to SYSTEM: SeImpersonate (impersonate tokens, used by Potato attacks), SeBackup/SeRestore (read or write any file, so dump the SAM and SYSTEM hives), SeDebug (open any process, including LSASS), SeTakeOwnership (take ownership of any object), and SeLoadDriver (load a kernel driver). The first check on a Windows host is whoami /priv, which lists every privilege the token holds, whether or not it is currently enabled.
What Windows privileges are
Beyond file permissions, Windows grants privileges, named rights in a user’s token that permit specific system actions. Examples include backing up files, debugging processes, loading drivers, and impersonating tokens.
Many are harmless or admin-only, but several are dangerous in the wrong hands, because they let a non-admin reach data or processes that lead to SYSTEM. Service and operator accounts sometimes hold them unnecessarily.
The dangerous privileges and payload
The attacker lists token privileges and abuses any powerful one:
- List: whoami /priv (a privilege shown as Disabled is still held; code running as that user can enable it with AdjustTokenPrivileges).
- SeImpersonatePrivilege: run a Potato attack to get SYSTEM.
- SeBackupPrivilege: read protected files, for example copy the SAM and SYSTEM hives, then dump hashes offline:
  reg save HKLM\SAM sam.hive and reg save HKLM\SYSTEM system.hive, then secretsdump.py -sam sam.hive -system system.hive LOCAL.
- SeDebugPrivilege: open and dump LSASS to harvest credentials.
- SeRestorePrivilege / SeTakeOwnershipPrivilege: overwrite or take ownership of protected files and binaries to plant code.
- SeLoadDriverPrivilege: load a kernel driver of the attacker's choosing.
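The first step above, checked with a script rather than by eye. This is an added example and not code from the original page: it parses the CSV form of whoami /priv and flags the privileges the page lists as dangerous. The function and variable names are this example's own, and it assumes English whoami column headers.

```powershell
# Added example: flag dangerous privileges on the current token.
# Assumes English-language whoami output ("Privilege Name","Description","State").
$DangerousPrivileges = @{
    'SeImpersonatePrivilege'   = 'token impersonation (Potato family)'
    'SeBackupPrivilege'        = 'read any file, e.g. SAM/SYSTEM hives'
    'SeRestorePrivilege'       = 'write any file, e.g. replace a service binary'
    'SeDebugPrivilege'         = 'open any process, including LSASS'
    'SeTakeOwnershipPrivilege' = 'take ownership of any securable object'
    'SeLoadDriverPrivilege'    = 'load a kernel driver'
}

function Get-DangerousTokenPrivilege {
    [CmdletBinding()]
    param(
        # Lines of `whoami /priv /fo csv`; defaults to running it on this host.
        [string[]]$WhoamiCsv = (whoami /priv /fo csv)
    )
    # Keep only quoted CSV rows so any banner or blank line does not confuse ConvertFrom-Csv.
    $rows = $WhoamiCsv | Where-Object { $_ -match '^"' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $name = $row.'Privilege Name'
        if (-not $DangerousPrivileges.ContainsKey($name)) { continue }
        [pscustomobject]@{
            Privilege = $name
            # "Disabled" only means not currently enabled in the token; any code
            # running as this user can turn it on with AdjustTokenPrivileges.
            State     = $row.State
            Impact    = $DangerousPrivileges[$name]
        }
    }
}

# Constructed sample (hypothetical service-account token) so the parser can be
# exercised without touching the real token:
$sample = @(
    '"Privilege Name","Description","State"'
    '"SeChangeNotifyPrivilege","Bypass traverse checking","Enabled"'
    '"SeImpersonatePrivilege","Impersonate a client after authentication","Enabled"'
    '"SeBackupPrivilege","Back up files and directories","Disabled"'
)
Get-DangerousTokenPrivilege -WhoamiCsv $sample | Format-Table -AutoSize

# Live check on the current host:
Get-DangerousTokenPrivilege | Format-Table -AutoSize
```

On the constructed sample the function returns SeImpersonatePrivilege and SeBackupPrivilege and drops SeChangeNotifyPrivilege; the Disabled state on SeBackupPrivilege is reported, not filtered, because it is still usable.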
Documented techniques shown for defenders.
How to defend
- Grant powerful privileges only to accounts that genuinely need them, following least privilege.
- Review who holds SeImpersonate, SeBackup, SeRestore, SeDebug, SeTakeOwnership, and SeLoadDriver.
- Use managed/virtual service accounts with minimal rights.
- Protect LSASS (LSA Protection/RunAsPPL, Credential Guard) so SeDebug abuse yields less: a protected LSASS cannot be opened with SeDebug alone, and Credential Guard keeps secrets out of LSASS memory.
- Audit token privileges across the estate and monitor for their use: event 4672 records a logon that receives sensitive privileges, and 4673/4674 record privileged operations when privilege-use auditing is enabled.
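One way to carry out the review in the second and last bullets above, as an added example that is not part of the original page: export the effective local security policy with secedit and list which accounts hold each dangerous user right. It must run elevated; the function names and the sample .inf fragment are this example's own.

```powershell
# Added example: who holds the dangerous user rights on this host.
# Requires an elevated prompt for the live secedit export.
$DangerousRights = @(
    'SeImpersonatePrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeDebugPrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege'
)

function ConvertFrom-PrivilegeRights {
    # Parses the [Privilege Rights] section of a secedit .inf, whose lines look like:
    #   SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
    param([string[]]$InfLines, [string[]]$Watch = $DangerousRights)
    $inSection = $false
    foreach ($line in $InfLines) {
        if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $right = $Matches[1]; $holders = $Matches[2]
        if ($Watch -notcontains $right) { continue }
        foreach ($entry in ($holders -split ',')) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            $sid = $entry.TrimStart('*')      # secedit writes SIDs with a leading '*'
            $account = $entry
            try {
                $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch { }                       # unresolvable SID or already a name: keep raw value
            [pscustomobject]@{ Right = $right; Holder = $account; Raw = $entry }
        }
    }
}

function Get-DangerousRightHolder {
    $inf = Join-Path $env:TEMP 'rights-audit.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    try     { ConvertFrom-PrivilegeRights -InfLines (Get-Content $inf) }
    finally { Remove-Item $inf -ErrorAction SilentlyContinue }
}

# Constructed sample .inf fragment: Administrators (S-1-5-32-544) and Backup
# Operators (S-1-5-32-551) hold SeBackupPrivilege; only Administrators hold SeDebug.
$sampleInf = @(
    '[Unicode]'
    'Unicode=yes'
    '[Privilege Rights]'
    'SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551'
    'SeDebugPrivilege = *S-1-5-32-544'
    'SeChangeNotifyPrivilege = *S-1-1-0,*S-1-5-32-544'
    '[Version]'
    'signature="$CHICAGO$"'
)
ConvertFrom-PrivilegeRights -InfLines $sampleInf | Format-Table -AutoSize

# Live audit (elevated); run through Invoke-Command to cover many hosts:
# Get-DangerousRightHolder | Sort-Object Right | Format-Table -AutoSize
```

The parser yields three rows from the sample (two for SeBackupPrivilege, one for SeDebugPrivilege) and ignores SeChangeNotifyPrivilege. Because secedit exports the effective policy, rights pushed by Group Policy appear alongside locally assigned ones, which is what a least-privilege review needs to see.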